By Trey Herr
“Governments writing viruses...today, we sort of take that for granted. But ten years ago, that would have been science fiction.”
In the last half-decade, governments have become some of the most sophisticated proliferators of malicious software. What has changed isn’t the behavior of states so much as the scope of our understanding of their activities. Recognizing this and adapting to it requires a shift in mindset, namely: it isn’t all malware anymore.
State-authored malicious software, milware, constitutes a new class of code whose priorities and sophistication are different from those employed by everyone from Metasploit-loving script kiddies to well-obfuscated Eastern European groups. Malware is largely designed to get scattershot access to systems and execute wherever it finds a foothold. Milware has a narrow target set and wants access first, effects later. Even where data exfiltration and not destructive effects are the name of the game, milware has specific, non-financially motivated targets and tends to be harmed by widespread propagation. Failing to make this distinction, information security communities, academic and commercial alike, have conflated the capabilities and intentions of criminal groups with those of states.
States were always going to be players in the malicious information security space; the opportunities presented by massive troves of public and private data, stored on a crazy cocktail of fundamentally insecure development languages and patched slowly on average, meant states were destined to be writing and deploying their own malicious code. What the research and policy community failed to consider is that this code would not fully overlap with the complexity, goals, and techniques of malicious code written by individuals and non-state actors. Limited reporting on Russian and now allegedly US-authored code demonstrates that milware, malicious software written by states, has begun to emerge as a separate category from malware, authored by non-state actors. They differ in aims: malware tends to target as many systems as possible so that a small chance of success in any individual infection yields an appreciable return, while milware prioritizes access to as many systems as possible within a small target set. With greater financial and human capital resources, as well as the ability to influence manufacturers, vendors, and the very routing architecture of the web, milware poses several challenges to the status quo.
First, information security research and commercial defense are oriented around a traditional “sunlight is the best disinfectant” model, whereby information about actors and their techniques is expected to dissuade attackers and aid defenders when brought to public light. While the publication and circulation of information about milware is useful as a research tool, several years of slick and shiny APT reports, including a trove of information on Chinese and Russian activities and recent revelations by Kaspersky about a US espionage framework in place for almost 14 years, seem to have done little to dissuade milware development or deployment. In large part this is because milware reverses the traditional hierarchy of information security, where hackers operate at the edge of or outside the law – their existence a product of the confluence of fundamental insecurity in most commercial software and opportunities for financial gain. States, to a very rough extent, are the law and have little to fear from the likes of Kaspersky or McAfee playing defense against them.
Second, it has been established (though not yet well studied) that a market-like mechanism exists for groups to buy, sell, and trade components of malicious software. While estimates of the prices and popularity of different tools are a subject of debate, there can be little doubt that the vastly deeper pockets of state actors will impact these markets. The rise of milware may be pricing software vendors and other defensive organizations, operating through bug bounty programs, out of the market. More insidiously, the presence of states with financial resources to burn and an appetite for the latest and greatest vulnerabilities in widely used commercial software may well encourage substantial growth in the number and talent of individuals who participate in this market as sellers. As the prospect for financial gain increases, more and more people join in to sell their malicious wares to the highest bidder. Milware then offers the prospect of becoming a driving force in the sophistication and variety of malicious software components, especially vulnerabilities, available on the web.
Third, the legal and regulatory apparatus in place in many states, especially the U.S., privileges proper defense of networks and information systems rather than holding liable the manufacturers of the software and hardware in place on these networks. Milware takes advantage of this status quo by prioritizing the acquisition and maintenance of access to targeted systems over deploying particular effects. This trade is enabled by the willingness of the majority of information security vendors to focus on detecting and mitigating known threats over discovering vulnerabilities in widely used software and hardware. States are daring software vendors to build better software, with the expectation that they can continue to beat information security vendors and existing security practices at the network and system level.
Malware, distributed by individuals and non-state actors, prioritizes effects over access – the particular machine compromised by an infection is less consequential than the successful execution of code to bring about the intended manipulation or data theft. This is because most malware targets certain resource types within vast networks, such as banking credentials or PII, rather than the data tied to a particular individual. Milware, by contrast, is concerned with access to more narrowly tailored targets. For some applications, this is to guarantee the ability to deliver effects, destructive or not, at some later date. For others, it translates into data theft, but only of certain types.
Fourth, existing legal tools for the location and prosecution of malware authors and distributors, already weak, presume targets that can be subject to a state’s jurisdiction. Milware, developed and deployed by states, renders these tools little more than rhetorical instruments. The forums and law used to pursue non-state actors are far different from those used against states. A cooperative, hierarchical model exists in the infrequent collaboration between national law enforcement agencies tasked with cybercrime. Limiting the use (difficult) or development (improbable) of milware is an inter-state monitoring and enforcement task more akin to conventional heavy arms sales or export control restrictions. Non-state actors can be pursued and prosecuted, but states and their milware will largely be subject only to the state’s own willingness to restrain itself or the ability of other states to compel the same. This constitutes a parallel enforcement and mitigation problem for all parties: malware tends to be large scale, and much of it is indiscriminate. Milware, by contrast, is focused on small target sets and is distributed by actors who are substantively different in terms of motivation, resources, and dependence on other entities. Malware is a regulation and law enforcement problem. Milware is a norms problem.
“Malicious software” has long been used to describe a range of threats, but broad overuse of the term malware, covering everything from the trope of basement-dwelling teenage hackers to the modern, much-marketed Advanced Persistent Threat, has harmed our ability to specify the range and variety of threats in the information security space. The idea of state-authored code, milware, as a separate category highlights a set of challenges to the existing legal, research, and security paradigm.
Trey Herr is a Senior Research Associate with the Cyber Security Policy and Research Institute and a doctoral candidate in Political Science at George Washington University. He works on malware and national security policy.
Mikko Hypponen, presentation at TrustyCon, 27 Feb 2014.
Kaspersky. “‘Red October’: detailed malware description 1, first stage of attack”. https://www.securelist.com/en/analysis/204792265/Red_October_Detailed_Malware_Description_1_First_Stage_of_Attack, 2013.
Kaspersky Labs Research Team. “Equation: The death star of malware galaxy”. https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/, February 2014.